Despite the effectiveness of modern spam filters, some highly sophisticated phishing campaigns (including Business Email Compromise, or BEC) still reach your employees' inboxes. Once a malicious email carrying a booby-trapped attachment or a link to a fake Microsoft sign-in portal has been delivered to 50 or 100 employees, the clock is ticking: a single click from an inattentive user is enough to compromise the business.
In this situation, chasing employees to ask them not to open the message is useless. You must remove the threat at its source. Find out how to run a global mail purge (Soft-Delete) across your entire Microsoft 365 tenant in seconds.
What is Soft-Delete?
Global purge is a surgical email remediation action that relies on the Microsoft Graph security APIs. Unlike a deletion performed by the user (which only moves the message to the mailbox's Deleted Items folder, where it stays readable and can be reopened), a Soft-Delete removes the email from the user's inbox and from every folder the user can see, and parks it in a hidden retention store accessible only to security administrators. Because the action is reversible from that store, it is the safe default: a message later judged benign can be restored, while a user can no longer click on it in the meantime.
To target the malicious email precisely across all of the organization's mailboxes, the system uses a unique identifier that Microsoft assigns when the message enters the tenant: the Network Message ID (networkMessageId, carried in the X-MS-Exchange-Organization-Network-Message-Id header). One inbound message delivered to many recipients carries the same value in every mailbox, so this footprint selects exactly the phishing email, and only it, without touching your employees' legitimate mail. A different message from the same sender, or a re-sent copy of the campaign, receives a new ID and must be purged separately.
One-click remediation via the Akuity SOC Ticket Panel
In Microsoft's native administration tools, searching for and purging an email means working in the compliance modules (the Compliance Center, now the Microsoft Purview compliance portal): create a content search, wait for it to complete, then run a PowerShell purge from Security & Compliance PowerShell (New-ComplianceSearchAction with -Purge -PurgeType SoftDelete, which also removes at most 10 items per mailbox per run). This process typically takes 15 to 30 minutes, far too long when the organization's security is at stake.
The Akuity SOC orchestrator reduces this critical operation to an intuitive action within the ticket lifecycle.
1. Centralization of evidence
When a phishing alert comes in, the SOC analyst opens the corresponding ticket in the Cockpit. In the "Proofs" tab (handled by the TicketEvidence.tsx component), the system gathers every entity involved. If the attack used the email vector, an "Impacted emails" section is shown automatically, listing the message subject, the malicious sender and its networkMessageId.
2. The visual and secure trigger
Next to the suspicious email, the interface shows an animated, flashing trash-can icon. Clicking it triggers the softDeleteEmailOnTenant action. As with every destructive or high-impact order on the platform, the system first requires a fresh validation of the analyst's second factor (MFA), so a stolen browser session alone cannot purge mail across the tenant.
3. Eradication by the Graph Security API
Once a valid TOTP code is entered (raising the session to the AAL2 assurance level), the Akuity backend sends an HTTP request to the Microsoft Graph security remediation endpoint, /beta/security/remediations, keyed on the networkMessageId. The API instructs Microsoft 365 to pull the message from every mailbox in the tenant at once. A toast notification confirms that the operation succeeded and the trash-can icon stops flashing, indicating that the threat has been eradicated. Because the purge is a soft delete, an administrator can still restore the message from the retention store if it turns out to be a false positive.
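The three steps above, as an added TypeScript example of what a back-end handler for this action has to check before calling Graph. This is illustration code, not Akuity's and not taken from this page. Assumed for the example: the session object and its AAL2 freshness window, the recipients list in the evidence, the request body field names, and the injected HTTP sender (a real one would wrap fetch with an app token holding the email-remediation permission); the endpoint path is the one named above. Verify the path and body against the current Graph beta documentation before use.

```typescript
// Added illustration of the softDeleteEmailOnTenant flow (not Akuity's code).
// Assumed for illustration: the session shape and AAL2 freshness window,
// the recipients list in the evidence, the request body field names and
// the injected HTTP sender. The endpoint path is the one named in the text.

interface AnalystSession {
  analyst: string;
  aal: 1 | 2;        // 2 = the analyst entered a valid TOTP for this session
  aal2At?: number;   // epoch ms of that second-factor check
}

interface ImpactedEmail {
  networkMessageId: string;  // value of X-MS-Exchange-Organization-Network-Message-Id
  recipients: string[];      // mailboxes the message was delivered to
  subject: string;
  sender: string;
}

interface GraphRequest {
  method: "POST";
  url: string;
  headers: Record<string, string>;
  body: string;
}

// A Network Message ID is a GUID; anything else must never reach the tenant.
const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

function isNetworkMessageId(id: string): boolean {
  return GUID_RE.test(id);
}

// Step-up gate for destructive actions: the session must be at AAL2 and the
// TOTP proof must be recent. The 5-minute window is an assumed policy value.
function assertAal2(s: AnalystSession, now: number, maxAgeMs: number = 5 * 60 * 1000): void {
  if (s.aal !== 2 || s.aal2At === undefined) {
    throw new Error("MFA step-up required before softDeleteEmailOnTenant");
  }
  if (now - s.aal2At > maxAgeMs) {
    throw new Error("Second-factor proof is stale; re-enter the TOTP code");
  }
}

// Builds the remediation request keyed on the networkMessageId. Field names
// are an assumption about the Graph beta remediation body; verify against
// the current documentation before use.
function buildSoftDeleteRequest(
  email: ImpactedEmail,
  ticketId: string,
  token: string,
  graphBase: string = "https://graph.microsoft.com",
): GraphRequest {
  if (!isNetworkMessageId(email.networkMessageId)) {
    throw new Error("Refusing purge: invalid networkMessageId " + email.networkMessageId);
  }
  // Normalise and de-duplicate recipients so one mailbox is not listed twice.
  const recipients = Array.from(
    new Set(email.recipients.map((r) => r.trim().toLowerCase()).filter((r) => r.length > 0)),
  );
  if (recipients.length === 0) {
    throw new Error("Refusing purge: no recipient mailbox in the evidence");
  }
  const body = {
    displayName: "SOC ticket " + ticketId + ": purge phishing \"" + email.subject + "\"",
    description: "Sender " + email.sender + "; networkMessageId " + email.networkMessageId,
    severity: "high",
    action: "softDelete",  // recoverable by administrators, unlike a hard delete
    analyzedEmails: recipients.map((recipientEmailAddress) => ({
      networkMessageId: email.networkMessageId,
      recipientEmailAddress,
    })),
  };
  return {
    method: "POST",
    url: graphBase + "/beta/security/remediations",
    headers: { Authorization: "Bearer " + token, "Content-Type": "application/json" },
    body: JSON.stringify(body),
  };
}

// The HTTP sender is injected (a real one would wrap fetch) so the example runs offline.
type HttpPost = (req: GraphRequest) => Promise<{ status: number }>;

async function softDeleteEmailOnTenant(
  session: AnalystSession,
  email: ImpactedEmail,
  ticketId: string,
  token: string,
  post: HttpPost,
  now: number = Date.now(),
): Promise<{ ok: boolean; status: number }> {
  assertAal2(session, now);                                    // step 2: second-factor gate
  const req = buildSoftDeleteRequest(email, ticketId, token);  // step 3: build the Graph call
  const res = await post(req);
  return { ok: res.status >= 200 && res.status < 300, status: res.status };
}

// Constructed evidence, in the shape of the "Impacted emails" section (step 1).
const SAMPLE_EVIDENCE: ImpactedEmail = {
  networkMessageId: "3f1c2a0e-5b7d-4e8a-9c21-0d6e4f7a8b90",
  recipients: ["alice@contoso.example", "Bob@contoso.example", "alice@contoso.example"],
  subject: "Action required: verify your Microsoft 365 password",
  sender: "it-support@contoso-login.example",
};

// Offline demo with a fake sender that accepts the request.
softDeleteEmailOnTenant(
  { analyst: "soc.analyst", aal: 2, aal2At: Date.now() },
  SAMPLE_EVIDENCE,
  "T-1042",
  "<graph-access-token>",
  async () => ({ status: 202 }),
).then((r) => console.log("purge accepted:", r.ok, "status", r.status));
```

Two details matter in practice: the GUID check stops anything that is not a real networkMessageId (a tampered ticket field, an injection attempt) from ever being sent to the tenant, and the AAL2 gate is evaluated server-side at the moment of the call, not trusted from the UI, so a flashing trash icon in a hijacked browser is not enough to trigger a purge.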
Conclusion: get ahead of the user's click
Messaging security can no longer settle for a passive posture. When a phishing email slips through, the ability to purge the entire tenant within seconds is your best line of defense. By automating this action from a unified SOAR interface, you neutralize the threat before your employees even have time to open their inbox.
A phishing campaign targeting your teams? Discover the power of our Agentless Microsoft Security SOAR Orchestrator and learn how to purge malicious emails in one click.